Wired RADIUS Authentication

Extreme Gen1 RADIUS Authentication

The example configuration below shows how to configure RADIUS for both management (mgmt-access) and port (netlogin) authentication. The server addresses, client-ip and shared secrets will be unique to your environment. This example also configures and enables RADIUS accounting.

configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 172.16.5.20 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$sLBECeI3y+vi56D+JsXsSaWmuvynCERCHNm1lyy21cwRTssjdoE="
configure radius mgmt-access secondary server 10.21.0.12 1812 client-ip 172.16.5.20 vr VR-Default
configure radius mgmt-access secondary shared-secret encrypted "#$aV4JSbB7qYJIrkN+xyFpkm8C3VhEMCvmeXg+CHuFmWCPuo9/BjA="
configure radius netlogin primary server 10.21.0.10 1812 client-ip 172.16.5.20 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$E1KQvrolmf3rZESnOuZCzgHvxuOncnJsRCrlsGkg9URvSuQAOQ8="
configure radius netlogin secondary server 10.21.0.12 1812 client-ip 172.16.5.20 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "#$25naJ++VqZmHWFE3p940NH+BMkvA4BL2GYj1HB1WaY1AFrIt4rQ="
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 172.16.5.20 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$5f6QnmG9LhNB1pb1WQB3T+F8LIIhnl5n83AzKewrEGHPtlQkLTI="
configure radius-accounting netlogin secondary server 10.21.0.12 1813 client-ip 172.16.5.20 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "#$2vpSd5mMYX46JQvXCLYqFjRnfH4AVawx57QYAm+QufLMbiRc/Do="
enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin


The example configuration below enables both 802.1X (dot1x) user authentication and MAC authentication on a port-by-port basis. Note that you must create a dedicated netlogin pre-authentication VLAN; in this example it is called net-login.

create vlan "net-login"
configure vlan net-login tag 2000


configure netlogin vlan net-login
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1:12-46 dot1x
enable netlogin ports 1:12-46 mac
configure netlogin ports 1:12 mode mac-based-vlans
configure netlogin ports 1:12 restart
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

Extreme Gen2 RADIUS Authentication

The example configuration below shows how to configure RADIUS for both management (mgmt-access) and port (netlogin) authentication. The server addresses, client-ip and shared secrets will be unique to your environment. This example also configures and enables RADIUS accounting and dynamic authorization. Note that dynamic authorization (CoA) will not work unless One Policy is enabled.

configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$BAlozLg2AgB4+Mj2p7/CduXt1k+zLA=="
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$DZrZ1cXlNut7x4NyiOZBQ9YsmzHsVg=="
configure radius-accounting netlogin primary server 10.21.0.10 1813 client-ip 10.128.0.65 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$kH9eGGJX164H6H4jeIpO5wtd6dfrfg=="
configure radius dynamic-authorization 1 server 10.21.0.10 client-ip 10.128.0.65 vr VR-Default shared-secret encrypted "#$n9pZ5gRfh8dafMk7hbWYnXPXbNCRFQ=="
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization
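
As an added defender-side check (not part of the original page or any Extreme tooling), the script below lints an EXOS RADIUS/netlogin configuration of the kind shown in both the Gen1 and Gen2 examples above: every defined server has a shared secret, secrets are stored with the `encrypted` keyword rather than in plaintext, accounting is enabled whenever netlogin authentication is, and a CoA server exists when dynamic-authorization is enabled. The sample configuration and its `#$EXAMPLE-ONLY==` secret strings are constructed; the regexes assume the command syntax exactly as it appears on this page.

```python
import re

# Constructed sample (not the page's configuration): a Gen2-style snippet with
# deliberate weaknesses: one plaintext secret, one server with no secret,
# accounting left off, and CoA enabled without a CoA server.
SAMPLE_CONFIG = """\
configure radius mgmt-access primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$EXAMPLE-ONLY=="
configure radius netlogin primary server 10.21.0.10 1812 client-ip 10.128.0.65 vr VR-Default
configure radius netlogin primary shared-secret "plaintext-secret"
configure radius netlogin secondary server 10.21.0.12 1812 client-ip 10.128.0.65 vr VR-Default
enable radius mgmt-access
enable radius netlogin
enable radius dynamic-authorization
"""

SERVER_RE = re.compile(r"^configure (radius|radius-accounting) (mgmt-access|netlogin) (primary|secondary) server (\S+) (\d+)")
SECRET_RE = re.compile(r'^configure (radius|radius-accounting) (mgmt-access|netlogin) (primary|secondary) shared-secret (encrypted )?"')
COA_RE = re.compile(r"^configure radius dynamic-authorization \d+ server ")

def audit_radius_config(config: str) -> list[str]:
    """Return findings (empty list means clean) for an EXOS RADIUS/netlogin config text."""
    servers, secrets, enabled, coa_servers = {}, {}, set(), 0
    for raw in config.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            servers[m.group(1, 2, 3)] = f"{m.group(4)}:{m.group(5)}"   # key: (service, scope, index)
        elif m := SECRET_RE.match(line):
            secrets[m.group(1, 2, 3)] = m.group(4) is not None        # True when stored encrypted
        elif COA_RE.match(line):
            coa_servers += 1
        elif line.startswith("enable "):
            enabled.add(line[len("enable "):])
    findings = []
    for key, addr in servers.items():
        name = f"{key[0]} {key[1]} {key[2]} ({addr})"
        if key not in secrets:
            findings.append(f"{name}: server defined without a shared secret")
        elif not secrets[key]:
            findings.append(f"{name}: shared secret stored in plaintext; use 'shared-secret encrypted'")
    for scope in ("mgmt-access", "netlogin"):
        if f"radius {scope}" in enabled and not any(k[:2] == ("radius", scope) for k in servers):
            findings.append(f"radius {scope} enabled but no server configured")
    if "radius netlogin" in enabled and "radius-accounting netlogin" not in enabled:
        findings.append("netlogin authentication enabled without RADIUS accounting (no session records for CoA or forensics)")
    if "radius dynamic-authorization" in enabled and coa_servers == 0:
        findings.append("dynamic-authorization enabled but no CoA server configured")
    return findings

if __name__ == "__main__":
    for finding in audit_radius_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show configuration` export to get the same four classes of finding on a real switch.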


The example configuration below enables both 802.1X (dot1x) user authentication and MAC authentication on a port-by-port basis. Note that you must create a dedicated netlogin pre-authentication VLAN; in this example it is called Net-Login.

create vlan "Net-Login"
configure vlan Net-Login tag 4000


enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-21 dot1x
enable netlogin ports 1-21 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

In my testing I needed to configure an authentication delay to give Clearpass enough time to create the guest user in the database. The example command below shows how to configure a delay on a per-port basis.

configure netlogin mac ports 1 timers delay 5